A critical flaw in the Mallox ransomware, formerly known as TargetCompany, has recently been uncovered by Avast researchers, providing victims with the chance to recover their encrypted files without paying a ransom. Mallox has been a significant threat to organizations worldwide, evolving through several iterations since its emergence. The ransomware has demonstrated adaptability, but the latest versions active throughout 2023 and early 2024 have been compromised by a vulnerability in their cryptographic schema. This flaw enables victims to decrypt their files without needing the private ECDH key, offering a rare opportunity for recovery that bypasses the traditional reliance on ransom payments.
The vulnerability was present in Mallox ransomware for several months before the attackers took steps to patch it in March 2024. Victims can identify if they were affected by the decryptable version by checking for specific file extensions, including .bitenc, .ma1x0, .mallab, .malox, .mallox, and .xollam. Additionally, ransom notes such as “FILE RECOVERY.txt” or “HOW TO RESTORE FILES.txt” are typically left in the compromised folders, indicating an infection by the vulnerable version of the malware. Avast has since released a free decryption tool, which allows users impacted by this ransomware to recover their files without engaging with the ransomware operators or paying the ransom demands.
The decryption process is straightforward but requires users to run the tool on the originally infected computer, which necessitates administrative privileges for successful decryption. Avast recommends that users back up all encrypted files before attempting recovery to prevent any potential data loss. This availability of a decryption solution represents a significant setback for the Mallox operation, which had been actively targeting various organizations across multiple sectors. The ransomware group maintained a presence on social media platforms and operated a Dark Web leak site where they documented their victims through June 2024, showcasing their malicious activities and the data they had exfiltrated.
This discovery highlights the ongoing battle between cybersecurity experts and ransomware groups, emphasizing the importance of maintaining strong cybersecurity defenses and remaining vigilant against evolving threats. While the decryption tool provides hope to many victims, experts stress the necessity of regular backups, robust security measures, and continuous monitoring for suspicious system behaviors. Organizations should be alert to unusual memory usage or processing loads, as these could indicate a ransomware attack in progress. Ultimately, the ability to recover files without paying a ransom underscores the significance of cybersecurity awareness and the proactive steps organizations must take to protect their data and systems from such threats in the future.
